3.10.5.1 Responder Receiving an Encapsulated Authenticated Firewall Connection Packet

On receiving an IPSec encapsulation packet, the responder processes the packet as defined in [RFC2402] or [RFC2406] for AH or ESP encapsulation, respectively. If the packet IPSec processing succeeded, and IsAuthenticatedFWSA is set to TRUE for the SA that secured that packet (section 3.1.1), then the responder MUST set the authFWAuthorized flag in the corresponding entry for this connection in the connection state table to TRUE, and the responder MUST drop this packet.